Hello,

I saw this issue arose previously in the mailing list, but I'm not sure what the resolution was.

I'm running syslog-ng 1.4.11 on AIX 4.3.3. This machine is meant to be a loghost for a number of different kinds of systems, including other AIX boxes. I'd like to organize messages into a directory structure on a per-host basis (a typical syslog-ng use, I assume). The trouble is that the hostname is improperly interpreted upon receipt of messages from other AIX machines. Thus, strange output files appear.

The following is a sample of my syslog-ng.conf:

######################################################################
source s_ccso {
    unix-dgram("/dev/log");
    udp(ip(0.0.0.0) port(514));
    internal();
};

destination d_psg_connections {
    file("/services/syslog/systems/$HOST/connections-$YEAR$MONTH$DAY"
         owner(psg) group(psg) perm(0600) dir_perm(0755) create_dirs(yes));
};

filter f_psg_connections { facility(local3) and level(info); };

log { source(s_ccso); filter(f_psg_connections); destination(d_psg_connections); };
######################################################################

Using a test program, I generate a bunch of messages on a remote AIX client host that end up looking like this (at LOCAL3.INFO) in the *remote client* log:

Mar 21 15:06:44 vader TEST[4234]: (0) TEST MESSAGE (0)
Mar 21 15:06:44 vader TEST[4234]: (1) TEST MESSAGE (1)
Mar 21 15:06:44 vader TEST[4234]: (2) TEST MESSAGE (2)
Mar 21 15:06:44 vader TEST[4234]: (3) TEST MESSAGE (3)
Mar 21 15:06:44 vader TEST[4234]: (4) TEST MESSAGE (4)
Mar 21 15:06:44 vader TEST[4234]: (5) TEST MESSAGE (5)
Mar 21 15:06:44 vader TEST[4234]: (6) TEST MESSAGE (6)
Mar 21 15:06:44 vader TEST[4234]: (7) TEST MESSAGE (7)
Mar 21 15:06:44 vader TEST[4234]: (8) TEST MESSAGE (8)
Mar 21 15:06:44 vader TEST[4234]: (9) TEST MESSAGE (9)
Mar 21 15:06:44 vader TEST[4234]: REPS: 10 Time: 0 s 1 ms 886 us

The remote host (vader) sends these to the loghost as well, but rewrites them, since that's what AIX's syslogd does. They land in the following location on the loghost:

/services/syslog/systems/From/connections-20010321
                         ^^^^
Note the incorrect hostname. This is what they look like inside that particular log:

Mar 21 15:06:44 From/vader vader: TEST[4234]: (0) TEST MESSAGE (0)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (1) TEST MESSAGE (1)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (2) TEST MESSAGE (2)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (3) TEST MESSAGE (3)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (4) TEST MESSAGE (4)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (5) TEST MESSAGE (5)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (6) TEST MESSAGE (6)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (7) TEST MESSAGE (7)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (8) TEST MESSAGE (8)
Mar 21 15:06:44 From/vader vader: TEST[4234]: (9) TEST MESSAGE (9)
Mar 21 15:06:44 From/vader vader: TEST[4234]: REPS: 10 Time: 0 s 1 ms 886 us
                ^^^^
Notice how the word "From" squeezes its way into the hostname. This is what the log would have looked like if done by AIX's native syslogd:

Mar 21 15:19:39 vader From vader: TEST[4248]: (0) TEST MESSAGE (0)
Mar 21 15:19:39 vader From vader: TEST[4248]: (2) TEST MESSAGE (2)
Mar 21 15:19:39 vader From vader: TEST[4248]: (1) TEST MESSAGE (1)
Mar 21 15:19:39 vader From vader: TEST[4248]: (3) TEST MESSAGE (3)
Mar 21 15:19:39 vader From vader: TEST[4248]: (4) TEST MESSAGE (4)
Mar 21 15:19:39 vader From vader: TEST[4248]: (5) TEST MESSAGE (5)
Mar 21 15:19:39 vader From vader: TEST[4248]: (6) TEST MESSAGE (6)
Mar 21 15:19:39 vader From vader: TEST[4248]: (7) TEST MESSAGE (7)
Mar 21 15:19:39 vader From vader: TEST[4248]: (8) TEST MESSAGE (8)
Mar 21 15:19:39 vader From vader: TEST[4248]: (9) TEST MESSAGE (9)
Mar 21 15:19:39 vader From vader: TEST[4248]: REPS: 10 Time: 0 s 1 ms 923 us

So the "From" comes out of what AIX's syslogd sends to the loghost when it forwards its own messages.

This particular format is what you get when you run AIX's syslogd with the '-s' command-line option; normally it's even more obnoxious (I learned this on this mailing list). This more verbose, obnoxious output causes the same problem. I'll use it to make another quick example of the problem. This is from the same AIX client running native syslogd without '-s':

On the client (remote host):

Mar 21 15:30:28 vader TEST[4270]: (1) TEST MESSAGE (1)
Mar 21 15:30:28 vader TEST[4270]: (2) TEST MESSAGE (2)

On the loghost (running AIX's syslogd):

Mar 21 15:30:28 vader Message forwarded from vader: TEST[4270]: (0) TEST MESSAGE (0)
Mar 21 15:30:28 vader Message forwarded from vader: TEST[4270]: (1) TEST MESSAGE (1)

A similar example, on the loghost running syslog-ng (these are mistakenly located in /services/syslog/systems/Message/connections-20010321):
                                                                                   ^^^^^^^
Mar 21 15:34:33 Message/vader forwarded from vader: TEST[4282]: (0) TEST MESSAGE (0)
Mar 21 15:34:33 Message/vader forwarded from vader: TEST[4282]: (1) TEST MESSAGE (1)
                ^^^^^^^
Notice both AIX's obnoxious message prefix string and how syslog-ng handles it when interpreting the hostname.

This server will be hosting logs for lots of people's machines; I can't mandate that everybody uses syslog-ng. Some people are going to run AIX boxes and so I'll have to put up with these kinds of messages. Is there anything syslog-ng can do? Is this addressed in the development version?

Thanks for your help!

--
Jonathan Marks
Systems Administrator, Production Systems Group
Computing and Communication Services Office
University of Illinois at Urbana-Champaign
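A loghost-side normalizer for the two AIX forwarding prefixes described in the post, written here as an added example (not code from the post or from syslog-ng). It assumes the datagram body arrives as "From <host>: ..." or "Message forwarded from <host>: ...", which is inferred from the outputs quoted above, and treats the in-message hostname as untrusted because it is about to become a path component under /services/syslog/systems.

```python
import re

# BSD syslog header with the PRI already stripped: "Mon DD HH:MM:SS <rest>".
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.+)$")

# Body as AIX syslogd forwards it (format assumed from the post's output):
# "From <host>: <msg>" with '-s', "Message forwarded from <host>: <msg>" without.
AIX_FORWARD = re.compile(
    r"^(?:From|Message forwarded from) (?P<host>[A-Za-z0-9._-]+): (?P<msg>.*)$")

# Plain BSD body: "<host> <msg>".
PLAIN = re.compile(r"^(?P<host>[A-Za-z0-9._-]+) (?P<msg>.*)$")


def parse_line(line, sender=None):
    """Split a received line into ts/host/msg, folding the AIX prefix away.

    `sender` is the resolved name of the UDP peer when the caller knows it.
    The host field inside the datagram is untrusted (any client can claim
    any name), so a disagreement is flagged instead of silently trusted.
    Returns None for lines that should not pick a directory at all."""
    m = HEADER.match(line)
    if not m:
        return None
    fw = AIX_FORWARD.match(m.group("rest"))
    body = fw or PLAIN.match(m.group("rest"))
    if not body:
        return None
    host = body.group("host")
    # $HOST becomes a path component on the loghost; refuse anything that
    # would walk out of the per-host tree. The regexes already exclude '/'.
    if host in (".", ".."):
        return None
    return {
        "ts": m.group("ts"),
        "host": host,
        "msg": body.group("msg"),
        "aix_forwarded": fw is not None,
        "sender_mismatch": sender is not None and host.lower() != sender.lower(),
    }


def dest_dir(rec, base="/services/syslog/systems"):
    """Directory the post's destination would use once the host is correct."""
    return f"{base}/{rec['host']}"
```

A host literally named "From" or "Message" is indistinguishable from the AIX prefix on the wire, which is one more reason to key the directory on the resolved sender rather than on the claimed name.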